
Set up a refurbished C3560X with the C3560E Image having inter-vlan routing issues. Need help.

Hello,

 

I need to first preface that I have a brain injury, so if I forgot to post any details here, I will be happy to do so. I am setting up a "new"-to-me Cisco 3560X with the upgraded E image:

 

show ver:

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.2(4)E4, RELEASE SOFTWARE (fc2)

 

show lic:

 

coresw1#show lic
Index 1 Feature: ipservices
Period left: Life time
License Type: PermanentRightToUse
License State: Active, In Use
License Priority: High
License Count: Non-Counted

Index 2 Feature: ipbase
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted

Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted

 

 

I created a routed interface to my temporary router (COX Communications cable internet). It is currently using subnet 192.168.0.0/24 and its IP is 192.168.0.1. From the routed interface:

 

coresw1#show run int gi0/1
Building configuration...

Current configuration : 115 bytes
!
interface GigabitEthernet0/1
description VL11-COX_WAN
no switchport
ip address 192.168.0.2 255.255.255.0
end

 

I am able to ping to 4.2.2.2.

 

Here is a copy of my show ip int br, excluding the disabled and unassigned interfaces:

 

coresw1#show ip int br | e una|diasb
Interface IP-Address OK? Method Status Protocol
Vlan30 10.72.30.1 YES manual up down
Vlan33 10.72.33.1 YES manual up up
GigabitEthernet0/1 192.168.0.2 YES manual up up 

 

From any VLAN, i.e. VLAN 33 (network: 10.72.33.0/24 - IP 10.72.33.1), I cannot ping to 4.2.2.2.

 

I did add in a default route and routing IS enabled: ip route 0.0.0.0 0.0.0.0 192.168.0.1

 

Here is my "debug ip icmp":

 

*Jan 4 00:29:29.049: ICMP: echo reply sent, src 10.72.33.1, dst 10.72.30.1, topology BASE, dscp 0 topoid 0
*Jan 4 00:29:30.056: ICMP: echo reply sent, src 10.72.33.1, dst 10.72.30.1, topology BASE, dscp 0 topoid 0
*Jan 4 00:29:31.063: ICMP: echo reply sent, src 10.72.33.1, dst 10.72.30.1, topology BASE, dscp 0 topoid 0
Feb 24 20:20:14.875: %SYS-5-CONFIG_I: Configured from console by console
Feb 24 20:27:50.181: ICMP: dst (10.72.33.1) port unreachable sent to 10.72.33.1
Feb 24 20:27:50.181: ICMP: dst (10.72.33.1) port unreachable rcv from 10.72.33.1
Feb 24 20:27:59.198: ICMP: dst (10.72.33.1) port unreachable sent to 10.72.33.1
Feb 24 20:27:59.198: ICMP: dst (10.72.33.1) port unreachable rcv from 10.72.33.1

 

Here is my "show ip route":

 

coresw1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.72.33.0/24 is directly connected, Vlan33
L 10.72.33.1/32 is directly connected, Vlan33
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/1
L 192.168.0.2/32 is directly connected, GigabitEthernet0/1

 

Here is my entire show run as well (this is a very basic running config still):

 

! Last configuration change at 20:43:58 UTC Mon Feb 24 2020
! NVRAM config last updated at 20:44:01 UTC Mon Feb 24 2020
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname coresw1
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
system mtu routing 1500
!
!
!
!
ip routing
!
!
!
!
shutdown vlan 99
!
!
!
!
!
!
!
!
license boot level ipservices
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet0/1
description VL11-COX_WAN
no switchport
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
switchport access vlan 33
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet0/4
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/5
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/6
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/7
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/8
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/9
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/10
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/11
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/12
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/13
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/14
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/15
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/16
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/17
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/18
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/19
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/20
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/21
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/22
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/23
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/24
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/25
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/26
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/27
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/28
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/29
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/30
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/31
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/32
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/33
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/34
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/35
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/36
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/37
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/38
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/39
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/40
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/41
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/42
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/43
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/44
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/45
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/46
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/47
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet0/48
switchport access vlan 99
switchport mode access
shutdown
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface GigabitEthernet1/3
shutdown
!
interface GigabitEthernet1/4
shutdown
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
description VL30-SSID-OneUp-5GUI
ip address 10.72.30.1 255.255.255.0
!
interface Vlan33
description VL33-Tr-WuredNet
ip address 10.72.33.1 255.255.255.0
!
ip default-gateway 192.168.0.2
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
ntp server 23.239.26.89
!
end

 

Here is my basic topology in text:

 

VLAN 30 10.72.30.1 (/24) is a trusted wifi network (soon to be)

VLAN 33 10.72.33.1 (/24) is my management vlan

 

Why does this config at least allow me to ping VLAN 33 to VLAN 30 (and so forth)? Why does the default route not work as well? Once I can migrate to this switch I plan to add in more VLANs. I just need to get help with the two VLANs as a good example for me to get started.

 

Again, I apologize if this is convoluted in any way and I checked and did not see any passwords there.

 

Thank you again so much for any help given. This is for my own knowledge at my home, I am trying to get my skills restored and having trouble remembering things.

 

Ms. Phoenix Myers

 

 

 

6 Replies

Jon Marshall
Hall of Fame

 

Firstly the router will need to have routes for your 10.x.x.x subnets eg. 

 

ip route 10.72.30.0 255.255.255.0 192.168.0.2

 

ip route 10.72.33.0 255.255.255.0 192.168.0.2 

 

the above is Cisco syntax but it should hopefully give you the idea. 

 

Secondly you will need to setup NAT on the router for the 10.72.3x.x IPs. 

 

Your switch will not support NAT so if the router does not support that then your setup is not going to work. 

 

Jon

I plan to build a new pfsense VM for my route on this after I get migrated, the router now is just a normal home based router so I don't have the ability to set NAT, if that would block my internet pings from a VLAN then my priority is then why VLAN 33 cannot ping to VLAN 30, and so forth. Earlier I tried to add in a route for those two vlans and it didn't seem to work, I will add routes for the two vlans now and post my results. Thanks!

 

Edit: just to confirm, I am using a layer 3 (C3560) switch with IP routing enabled, the switch SHOULD be able to route vlan to vlan?

Hello, here are my results:

 

coresw1>en
coresw1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
coresw1(config)#ip route 10.72.30.0 255.255.255.0 192.168.0.2
%Invalid next hop address (it's this router)

 

It won't let me reference the switch as a route hop apparently, pointing the subnets to a router would defeat the purpose of a layer 3 switch wouldn't it? The switch SHOULD be able to route packets between the two vlans, they are also local VLANs.

 

I just would like to send all of my internal traffic thru the switch only if the source and destination are all local to the switch then point internet traffic to the router for external connectivity.

 

Those routes were meant to be added to your router not your switch, I only used Cisco syntax to give you the idea.

 

The reason you can’t ping between your vlans is because you have not assigned any port to vlan 30 so the L3 interface for vlan 30 is not up ie. check your routing table on the switch and you can see there is no entry for 10.72.30.0/24. 

 

Jon

Hello and I apologize for the late reply,

 

A few things stand out to me here, if I understand correctly then, the router still has to carry the traffic from one vlan to another? I am trying to understand the logic in it. I have devices that are on separate VLANS that fail to reconnect if I down the whole network, like a long power outage lets say, but when I go into the devices and rescan for them after the network including the pfsense right now to actually be up, what I am trying to do is have a multiple vlan routed internal network, this is for trying to get my knowledge back up. My thought was to bring the switch up so all the internal stuff is up already then boot the devices up so that the routes can be seen. Some of these devices would be like a storage lun from a NAS on another vlan - all of this part is unrelated, just want to explain my logic.

 

On to the issue though, I did hook up an Ethernet cable into my layer2 switch (2960s-migrating from), my thinking is to create the vlan to the pfsense and to trunk that port on both sides and set up the ip information and routes that way I can migrate to the new switch and keep the same vlan info. My pfsense is a VM as well.

 

I hope this helps clear some of the things up on my end as well. I'll hope my understanding is correct and will try it out since I also have a console cable hooked up.

 

 

 

Previous posts done on phone so to explain in a bit more detail. 

 

Routing is a two way thing ie. the outbound path and the inbound path. 

 

So you have added a default route on your switch pointing to the router which takes care of the outbound traffic from your vlans but from the router's perspective it does not know about the 10.72.3x subnets because you haven't told it about them. 

 

So those routes would need to be added to your router (obviously not Cisco) and then it would know how to get to those subnets. 

 

In terms of the pinging between the 10.72.3x. subnets as I say the issue is that the L3 interface ("int vlan 30") is not up because there is no port assigned to it. 

 

For a L3 vlan interface to be up either - 

 

1) a port must be assigned to that vlan (switchport access vlan x) and that port must be up/up 

 

or 

 

2) a trunk port must have that vlan allowed and be up/up 

 

you don't have either for your vlan 30 so the L3 interface is down.

 

Adding a pfSense will make it easier to sort out and by all means come back if you need help with setting it all up. 

 

Jon
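
The rule in the reply above (a VLAN interface comes up only when an access port in that VLAN, or a trunk allowing it, is up/up) can be checked offline against a saved config and `show ip int br` output. This is an added example, not part of the thread; the sample text is constructed from the posted output, the function names are this example's own, and it models only the two conditions listed in the reply.

```python
# Constructed sample, trimmed from the config and "show ip int br" posted in the thread;
# the Gi0/3 and Gi0/4 status lines are assumed (the posted output filtered them out).
CONFIG = """interface GigabitEthernet0/3
switchport access vlan 33
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 99
shutdown
!
interface Vlan30
ip address 10.72.30.1 255.255.255.0
!
interface Vlan33
ip address 10.72.33.1 255.255.255.0
"""
BRIEF = """Vlan30 10.72.30.1 YES manual up down
Vlan33 10.72.33.1 YES manual up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset administratively down down
"""

def parse_interfaces(config):
    """Map interface name -> list of its config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith("!"):
            current = None
        elif current is not None:
            current.append(line.strip())
    return blocks

def carries_vlan(lines, vlan):
    """True if a switchport's config puts `vlan` on it (access port or trunk)."""
    if "switchport mode trunk" in lines:
        allowed = [l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan")]
        ranges = [p.partition("-") for p in allowed[0].split(",")] if allowed else [("1", "-", "4094")]
        return any(lo.isdigit() and int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)
    return f"switchport access vlan {vlan}" in lines

def svi_report(config, brief):
    """For each 'interface VlanN': the up/up ports that carry VLAN N (empty -> SVI down)."""
    blocks = parse_interfaces(config)
    up = {f[0] for f in map(str.split, brief.splitlines()) if f[-2:] == ["up", "up"]}
    return {name: sorted(p for p, ls in blocks.items() if p in up and carries_vlan(ls, int(name[4:])))
            for name in blocks if name.startswith("Vlan") and name[4:].isdigit()}

print(svi_report(CONFIG, BRIEF))
```

An empty list for `Vlan30` matches the `up down` status in the posted output: no up/up port carries VLAN 30, so its connected route never enters the routing table.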